pulseaudio patch from Dan Walsh

Fixed template where it should have been interface
Replaced read_home and manage_home interfaces with read_home_files, manage_home_files and reduced access
Removed admin_dir reference
Replaced rtkit_daemon_system_domain with rtkit_scheduled
Fixed style / spacing issues
Jeremy Solt 2010-03-23 15:51:04 -04:00 committed by Chris PeBenito
parent d279dd603f
commit 18683835fd
3 changed files with 111 additions and 14 deletions


@ -1 +1,9 @@
HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)


@ -18,7 +18,7 @@
interface(`pulseaudio_role',`
gen_require(`
type pulseaudio_t, pulseaudio_exec_t, print_spool_t;
class dbus { send_msg };
class dbus { acquire_svc send_msg };
')
role $1 types pulseaudio_t;
@ -29,7 +29,7 @@ interface(`pulseaudio_role',`
ps_process_pattern($2, pulseaudio_t)
allow pulseaudio_t $2:process { signal signull };
allow $2 pulseaudio_t:process { signal signull };
allow $2 pulseaudio_t:process { signal signull sigkill };
ps_process_pattern(pulseaudio_t, $2)
allow pulseaudio_t $2:unix_stream_socket connectto;
@ -40,7 +40,7 @@ interface(`pulseaudio_role',`
userdom_manage_tmpfs_role($1, pulseaudio_t)
allow $2 pulseaudio_t:dbus send_msg;
allow pulseaudio_t $2:dbus send_msg;
allow pulseaudio_t $2:dbus { acquire_svc send_msg };
')
########################################
@ -98,7 +98,7 @@ interface(`pulseaudio_run',`
#
interface(`pulseaudio_exec',`
gen_require(`
type pulseaudio_exec_t;
type pulseaudio_exec_t;
')
can_exec($1,pulseaudio_exec_t)
@ -127,20 +127,78 @@ interface(`pulseaudio_dbus_chat',`
########################################
## <summary>
## pulsaudio connection template.
## Read pulseaudio homedir files
## </summary>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## Domain allowed access.
## </summary>
## </param>
#
interface(`pulseaudio_read_home_files',`
gen_require(`
type pulseaudio_home_t;
')
userdom_search_user_home_dirs($1)
read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
########################################
## <summary>
## Manage pulseaudio homedir files
## </summary>
## <param name="user_domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`pulseaudio_manage_home_files',`
gen_require(`
type pulseaudio_home_t;
')
userdom_search_user_home_dirs($1)
manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
########################################
## <summary>
## Allow domain to setattr on pulseaudio homedir
## </summary>
## <param name="user_domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`pulseaudio_setattr_home_dir',`
gen_require(`
type pulseaudio_home_t;
')
allow $1 pulseaudio_home_t:dir setattr;
')
#####################################
## <summary>
## Connect to pulseaudio over a unix domain
## stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`pulseaudio_stream_connect',`
gen_require(`
type pulseaudio_t;
type pulseaudio_t, pulseaudio_var_run_t;
')
files_search_pids($1)
allow $1 pulseaudio_t:process signull;
allow pulseaudio_t $1:process signull;
allow $1 pulseaudio_t:unix_stream_socket connectto;
stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
')
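Review bot: `pulseaudio_read_home_files` grants `read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)` on every file with that type, and the file-contexts section of this commit labels `HOME_DIR/\.pulse-cookie` with the same `pulseaudio_home_t`, so every caller of the interface can read the PulseAudio authentication cookie along with the rest of `.pulse`. If that is intended, the summary should say so, e.g. `## Read pulseaudio homedir files, including the authentication cookie.`; if not, the cookie needs its own type so that read access to configuration does not imply the ability to authenticate to the daemon. The same applies to `pulseaudio_manage_home_files`. Separately, the new interfaces keep `<param name="user_domain">` while describing it as "Domain allowed access."; `name="domain"`, as used by `pulseaudio_stream_connect`, would be consistent.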


@ -8,24 +8,51 @@ policy_module(pulseaudio, 1.1.1)
type pulseaudio_t;
type pulseaudio_exec_t;
init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
application_domain(pulseaudio_t, pulseaudio_exec_t)
role system_r types pulseaudio_t;
type pulseaudio_home_t;
userdom_user_home_content(pulseaudio_home_t)
type pulseaudio_tmpfs_t;
files_tmpfs_file(pulseaudio_tmpfs_t)
type pulseaudio_var_lib_t;
files_type(pulseaudio_var_lib_t)
type pulseaudio_var_run_t;
files_pid_file(pulseaudio_var_run_t)
########################################
#
# pulseaudio local policy
#
allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
allow pulseaudio_t self:fifo_file rw_file_perms;
allow pulseaudio_t self:unix_stream_socket create_stream_socket_perms;
allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
allow pulseaudio_t self:udp_socket create_socket_perms;
allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
userdom_search_user_home_dirs(pulseaudio_t)
manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
can_exec(pulseaudio_t, pulseaudio_exec_t)
kernel_getattr_proc(pulseaudio_t)
kernel_read_system_state(pulseaudio_t)
kernel_read_kernel_sysctls(pulseaudio_t)
@ -67,10 +94,7 @@ optional_policy(`
')
optional_policy(`
gnome_manage_config(pulseaudio_t)
')
optional_policy(`
dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
dbus_system_bus_client(pulseaudio_t)
dbus_session_bus_client(pulseaudio_t)
dbus_connect_session_bus(pulseaudio_t)
@ -92,6 +116,10 @@ optional_policy(`
')
')
optional_policy(`
rtkit_scheduled(pulseaudio_t)
')
optional_policy(`
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
@ -103,6 +131,9 @@ optional_policy(`
')
optional_policy(`
xserver_stream_connect(pulseaudio_t)
xserver_manage_xdm_tmp_files(pulseaudio_t)
xserver_read_xdm_lib_files(pulseaudio_t)
xserver_read_xdm_pid(pulseaudio_t)
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
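Review bot: `xserver_manage_xdm_tmp_files(pulseaudio_t)` in the final xserver `optional_policy` block is, by its name, a manage-level grant (create, write, delete) on xdm's temporary files, which is much wider than the read-only `xserver_read_xdm_lib_files` and `xserver_read_xdm_pid` calls beside it, and nothing on the page says which files need it. The +/- markers are lost in this rendering, so I am assuming from the hunk's line counts that these three calls are the additions. I would put a comment above the call, `# pulseaudio writes <FILES> in xdm's tmp dir when started from the login session`, with the real file names filled in, and narrow the grant if read/write access turns out to be enough.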